Description
With kernel < 5.12, recursive read-only bind mount would set the read-only flag on the top-level mount, not the sub-mounts, as a result, submounts remain rw:
$ mkdir -p mounts
$ sudo mount -t tmpfs tmpfs mounts
$ sudo mkdir -p ./mounts/{foo,bar}
$ sudo mount -t tmpfs tmpfs mounts/foo
$ sudo mount -t tmpfs tmpfs mounts/bar
# only the top-level mount is ro, sub-mounts are rw
$ podman run --rm -it -v ./mounts/:/tmp/mounts:ro alpine cat /proc/self/mountinfo | grep /tmp/mounts
1605 1600 0:114 / /tmp/mounts ro,relatime - tmpfs tmpfs rw,inode64
1606 1605 0:144 / /tmp/mounts/foo rw,relatime - tmpfs tmpfs rw,inode64
1607 1605 0:169 / /tmp/mounts/bar rw,relatime - tmpfs tmpfs rw,inode64
With kernel >= 5.12, it's possible to achieve this with the introduction of mount_setattr[1]. runc and crun supports rro[2] and docker forwards the rro mount option iff the kernel supports it[3].
We can do something similar I believe as part of generateSpec, unless I'm missing something here. Open to implementing this once there's approval.
cc/ @cyphar
podman version
Client: Podman Engine
Version: 5.2.3
API Version: 5.2.3
Go Version: go1.23.1
Built: Tue Sep 24 22:37:25 2024
OS/Arch: linux/amd64
[1] - torvalds/linux@2a18672
[2] - https://github.com/opencontainers/runc/blob/9112335fb2bb9eb93d1f21c267cd5599d0d199e7/libcontainer/specconv/spec_linux.go#L112
[3] - https://github.com/moby/moby/blob/810c7c1dce5bbf76af4ed5c6bac8c47fead4f6c6/daemon/oci_linux.go#L643-L647